OFFICE OF THE INSPECTOR GENERAL
SOCIAL SECURITY ADMINISTRATION

PROTECTING PERSONALLY IDENTIFIABLE INFORMATION ON THE SOCIAL SECURITY ADMINISTRATION'S INTRANET SITES

August 2009    A-12-09-29118

AUDIT REPORT

Mission
By conducting independent and objective audits, evaluations and investigations, we inspire public confidence in the integrity and security of SSA's programs and operations and protect them against fraud, waste and abuse. We provide timely, useful and reliable information and advice to Administration officials, Congress and the public.

Authority
The Inspector General Act created independent audit and investigative units, called the Office of Inspector General (OIG). The mission of the OIG, as spelled out in the Act, is to:

• Conduct and supervise independent and objective audits and investigations relating to agency programs and operations.
• Promote economy, effectiveness, and efficiency within the agency.
• Prevent and detect fraud, waste, and abuse in agency programs and operations.
• Review and make recommendations regarding existing and proposed legislation and regulations relating to agency programs and operations.
• Keep the agency head and the Congress fully and currently informed of problems in agency programs and operations.

To ensure objectivity, the IG Act empowers the IG with:

• Independence to determine what reviews to perform.
• Access to all information necessary for the reviews.
• Authority to publish findings and recommendations based on the reviews.

Vision
We strive for continual improvement in SSA's programs, operations and management by proactively seeking new ways to prevent and deter fraud, waste and abuse. We commit to integrity and excellence by supporting an environment that provides a valuable public service while encouraging employee development and retention and fostering diversity and innovation.

SOCIAL SECURITY
MEMORANDUM

Date: August 19, 2009    Refer To:
To: The Commissioner
From: Inspector General
Subject: Protecting Personally Identifiable Information on the Social Security Administration's Intranet Sites (A-12-09-29118)

OBJECTIVE
Our objective was to determine whether the Social Security Administration's (SSA) Intranet sites were protecting personally identifiable information (PII).

BACKGROUND
Office of Management and Budget (OMB) Memorandum M-07-16 requires that Executive agencies safeguard PII[1] in the Government's possession and prevent its breach to ensure the Government retains the public's trust. This responsibility is shared by officials accountable for administering operational, privacy, and security programs; legal counsel; agencies' Inspectors General and other law enforcement; and public and legislative affairs offices.[2] It is also a function of applicable laws, such as the Federal Information Security Management Act of 2002 and the Privacy Act of 1974.[3] OMB suggested three procedures to reduce the amount of PII available to unauthorized users:[4]

• reduce the volume of information collected and retained to the minimum necessary;
• limit access to only those individuals who must have such access; and
• use encryption, strong authentication procedures, and other security controls to make information unusable by unauthorized individuals.

[1] According to OMB M-07-16, PII refers to information which can be used to distinguish or trace an individual's identity, such as their name, Social Security number (SSN), biometric records, etc., alone, or when combined with other personal or identifying information which is linked or linkable to a specific individual, such as date and place of birth, mother's maiden name, etc.
[2] OMB M-07-16, page 1.
[3] Id.
[4] OMB M-07-16, page 2.

To meet the OMB requirements, SSA established a PII Executive Steering Committee (ESC) to provide oversight as well as make recommendations on Agency PII policy to the Commissioner. SSA also established other groups to oversee the public Internet site and internal Intranet sites. For example, the Agency established the Web Steering Committee (WESCO) to facilitate coordination between responsible components on the development, management, and maintenance of its public Internet site. In addition, SSA established Internet and Intranet Application Standards Workgroups to oversee the Internet and Intranet sites. By accessing SSA's Internet site, the public can learn about SSA's programs as well as apply for benefits on-line. Access to SSA's Intranet sites is limited to Agency employees. By using SSA's Intranet sites, SSA employees can view information related to SSA's operations, policies, training, etc., through computers connected to SSA's computer networks.[5] The general public cannot view SSA's Intranet sites because they are protected by a firewall.[6]

RESULTS OF REVIEW
Our search of SSA's Intranet sites detected 179 instances of PII being displayed. We found most of this PII on regional Intranet sites maintained by SSA's Office of Disability Adjudication and Review (ODAR). In addition, we found 11 other instances of exposed PII on other SSA Intranet sites containing Agency training manuals. After we notified SSA officials about the exposed PII, it was immediately removed from the Intranet sites. The Agency lacked a designated component to monitor PII issues related to SSA's Internet and Intranet sites. Moreover, SSA had not developed clear and relevant content standards for safeguarding PII on its websites. This lack of controls may have contributed to PII being displayed on SSA's Intranet sites.

PII ON ODAR'S INTRANET SITES

Most of the exposed PII we detected was on ODAR's regional Intranet sites. However, we also found instances of displayed PII on other Agency components' Intranet sites.

[5] Intranet sites can be password-protected to restrict access to a specific group of SSA employees.
[6] A firewall is a software program that filters network traffic and allows only authorized users access to the information. SSA's Central Office administers the firewall software.

PII on SSA Intranet Sites Maintained by ODAR

We found that 2 of ODAR's regional Intranet sites displayed PII on 168 contractors. Using SSA's Intranet search engine, we searched the Intranet sites for PII and found SSNs, Employer Identification Numbers (EIN),[7] personal addresses, and home telephone numbers related to ODAR's contractors (see Figure 1). These contractors include Hearing Reporters, Interpreters, Medical Experts (ME), and Vocational Experts.[8]

Figure 1: PII Displayed on ODAR's Intranet Sites by Contractor Position (pie chart; the data labels recovered from the figure are listed below)
• Medical Experts: 44%
• Vocational Experts: 26%
• Interpreters: 21%
• Hearing Reporters: 9%

In most of the cases, the PII was posted on ODAR regional sites intended to assist other regions in processing hearings. To help manage its growing backlog of pending hearing claims, ODAR was transferring cases between regions. As a result, hearing offices in one part of the country were holding hearings related to claimants in a different part of the country. For instance, an ME at the Bronx Hearing Office in Region II[9] might be required to present evidence at a hearing[10] transferred to the Pittsburgh, Pennsylvania Hearing Office in Region III.[11] To assist the Pittsburgh Hearing Office, the contractor's business information was posted to Region III's Intranet site.[12] However, in this case, the Intranet site was also displaying sensitive information, such as the ME's SSN, EIN, home address, and telephone number. We found that other ODAR regional Intranet sites were better at protecting this PII by only displaying basic information, such as the contractor's name and a contact telephone number.

After we notified ODAR about the exposed PII, staff immediately removed the sites. Moreover, ODAR staff noted that the Intranet sites in question were no longer being used to assist with workloads.

ODAR Has a More Secure System to Track Contractor PII

ODAR maintains more secure systems to store contractor PII, including the Case Processing and Management System (CPMS)[13] and the Web-Enabled Budget and Administrative Support System (WebBASS).[14] Access to CPMS is based on a user's profile[15] and therefore has tighter controls for accessing contractor PII. SSA uses WebBASS to generate call orders[16] for contractors. Access to WebBASS requires a user name and password.[17]

In addition, ODAR staff stated ODAR's Division of Information Technology Integration (DITI) periodically shares an Excel spreadsheet containing hearing office contractor information with the regional WebBASS points of contact. This spreadsheet assists the hearing offices when cases are transferred within the regions and hearing offices. DITI closely controls this contractor spreadsheet and shares it with ODAR employees on a need-to-know basis.

[7] An EIN is a nine-digit number the Internal Revenue Service assigns in the following format: XX-XXXXXXX. According to the Internal Revenue Service, an EIN is also known as a Federal Tax Identification Number and is used to identify a business entity. Only SSNs/EINs with a person's name were included in the number of instances identified where PII was displayed on SSA's Intranet sites, while EINs with an associated business name were not included.
[8] See Appendix C for more information on these contractor positions. Prior SSA Office of the Inspector General audits addressed the internal use of SSA employee SSNs. See The Social Security Administration's Internal Use of Employee's Social Security Numbers (A-13-04-24046), issued August 2004, and Follow-up: The Social Security Administration's Internal Use of Employee's Social Security Numbers (A-13-07-27164), issued June 2008.
[9] Region II includes New Jersey, New York, and the territory of Puerto Rico.
[10] ODAR has been using video hearings for claims that are transferred from one region to another.
[11] Region III includes Delaware, Maryland, Pennsylvania, Virginia, West Virginia, and the District of Columbia.
[12] The regional sites contained other useful information for the assisting hearing office, such as hearing office contacts, mailing addresses and procedures, hearing calendars, and hotel information.
[13] CPMS is a web-based, user-friendly system that includes interactive screens, a secure and centralized repository of hearing-related data, scheduling capabilities, hyperlinks to reference material, and interfaces with other SSA systems.
[14] SSA uses WebBASS to post and track information about administrative and budgetary items.
[15] A user profile is a collection of personal data associated with a specific user and, as such, contains a digital representation of a person's identity.
[16] A call order is a budget agreement to pay a contractor for its services.
[17] CPMS uses a Contractor Key to interface with WebBASS. The Contractor Key is sent from CPMS to WebBASS, where it is matched with the Contractor's name, Blanket Purchase Agreement number and other identifying information.

PII on Other SSA Regional Intranet Sites

We found 11 other instances of PII on other SSA Intranet sites. In addition to SSNs, we found personal addresses, home telephone numbers, and wages displayed on these Intranet sites. The sites were used for posting training manuals to operate SSA's claimant tracking systems. Of the 11 instances,

• 7 contained valid SSNs, but the name did not match SSA's Numident Record,[18] and
• 4 contained valid SSNs with names that matched SSA's Numident Record.

We shared the Intranet links containing PII with SSA's Webmaster, as well as the web managers responsible for creating and maintaining these Intranet sites. We suggested that the web managers replace the valid SSNs with invalid SSNs such as those containing "00" in the group number,[19] since SSA does not issue SSNs with this group number. The web managers either modified or removed the Intranet sites containing the PII.

[18] SSA's Numident houses records of original and replacement SSN cards issued over an individual's lifetime, as well as identifying information, such as date of birth, place of birth, and parents' names.
[19] Within each area, the group number (middle two digits) ranges from 01 to 99, but group numbers are not assigned in consecutive order.

INTERNAL CONTROLS OVER SSA'S INTERNET AND INTRANET

The Agency lacked a designated component responsible for overseeing PII-related issues on SSA's Internet and Intranet sites. In addition, SSA has not developed clear, relevant content standards for safeguarding PII on its web sites. This lack of oversight may have contributed to PII being displayed on SSA's Intranet sites.

Lack of PII Controls over the Internet and Intranet

In our review of the Internet and Intranet workgroups, as well as discussions with staff in the Office of the Chief Information Officer (OCIO) and Office of Communications (OCOMM), we learned that while SSA has a number of organizations reviewing either PII or the content of the Internet and Intranet sites, no single organization is responsible for preventing PII from being displayed on these sites. For instance, the PII ESC charter does not specifically address the role of the Internet or Intranet sites in disseminating information that could contain PII.[20]

Moreover, WESCO's mission regarding the Internet did not mention the role of the Committee in protecting PII.[21] SSA staff told us that WESCO had coordinated meetings with SSA's regional Intranet web managers where PII was discussed. However, WESCO relied on the regional Intranet web managers to control PII displayed on regional Intranet sites.

Finally, we found that while SSA's Internet and Intranet Application Standards Workgroups have established standards for displaying information on the Agency's websites, these standards do not discuss controlling the display of PII. The missions of these workgroups relate more to the design of the application than to its content.[22]

We also found some general content standards for websites on a Web Governance website. The site noted "Sensitive, restricted, or classified information or information that contains PII (such as SSNs) must not be included in any web-based file that could be retrieved using a search engine." However, it appeared this guidance was directed at only the Internet sites, and it was not clear what component, if any, was required to periodically monitor compliance with this provision.

We also spoke to OCIO and OCOMM staff to determine what component had overall responsibility for safeguarding PII at the Agency. OCIO sets Agency policy over PII and is responsible for ensuring OMB mandates are followed, while OCOMM has control and provides guidance over SSA's Internet and Intranet sites. However, neither OCIO nor OCOMM developed content standards for safeguarding PII on SSA's websites, and staff in both offices were unaware of any group charged with this responsibility.

The lack of oversight may have contributed to the PII problems we found on the Intranet sites. Even though the Intranet sites are within SSA's firewall and are not available to the public, the posted information is still available to employees in SSA and can be retrieved using a search engine. Establishing a workgroup with oversight of PII on the Internet and Intranet sites, or adding this to the mission of an existing workgroup, would ensure SSA is following the OMB mandates on the protection of PII.

[20] See Appendix D for more information on the PII ESC.
[21] See Appendix E for more information on the WESCO.
[22] For example, per the Intranet Application Standards Workgroup's website, the Workgroup provides the Agency with a set of Intranet interface design standards for the development of Intranet applications. The Standards provide application developers with a common set of requirements for Webpage, styles, widgets, and controls. The requirements describe how the widget, control, and application should interact with the user in compliance with Agency and Government security policy standards.

CONCLUSION AND RECOMMENDATIONS
Our review found PII, including names, SSNs, EINs, home addresses, and wage information, was being displayed on SSA's Intranet sites. Agency Web managers took immediate action to modify or remove the identified Intranet sites. However, while the Agency has a number of groups monitoring PII as well as the Internet and Intranet sites, we could not locate a single organization responsible for preventing PII from being displayed on these sites. This lack of oversight may have contributed to PII being displayed on SSA's Intranet sites.

To reduce the risk of PII being displayed on SSA's Internet and Intranet sites, we recommend that SSA:

1. Designate a component with the responsibility of (a) developing PII safeguard policies over the Internet and Intranet and (b) ensuring adherence with these new policies.

2. Designate a component with the responsibility of periodically reviewing Internet and Intranet sites to ensure employee and contractor PII is protected. Such reviews should become part of the Agency's internal control structure.

AGENCY COMMENTS

The Agency agreed with our recommendations. See Appendix F for the full text of SSA's comments.

Patrick P. O'Carroll, Jr.

Appendices
APPENDIX A – Acronyms
APPENDIX B – Scope and Methodology
APPENDIX C – Hearing Office Organization Chart and Position Descriptions
APPENDIX D – Personally Identifiable Information Executive Steering Committee
APPENDIX E – Web Steering Committee
APPENDIX F – Agency Comments
APPENDIX G – OIG Contacts and Staff Acknowledgements

Appendix A

Acronyms
ALJ       Administrative Law Judge
COSS      Commissioner of Social Security
CPMS      Case Processing and Management System
DITI      Division of Information Technology Integration
EIN       Employer Identification Number
ESC       Executive Steering Committee
HR        Hearing Reporter
ME        Medical Expert
OCIO      Office of the Chief Information Officer
OCOMM     Office of Communications
ODAR      Office of Disability Adjudication and Review
OIG       Office of the Inspector General
OMB       Office of Management and Budget
PII       Personally Identifiable Information
SSA       Social Security Administration
SSN       Social Security Number
VE        Vocational Expert
WebBASS   Web-Enabled Budget and Administrative Support System
WESCO     Web Steering Committee

Appendix B

Scope and Methodology
To accomplish our objective, we:

• Reviewed Social Security Administration (SSA) policies and procedures governing the controls over personally identifiable information (PII) as well as employee guidelines established in SSA's Information Systems Security Handbook.
• Reviewed Office of Management and Budget Memorandum M-07-16, Safeguarding Against and Responding to the Breach of Personally Identifiable Information.
• Reviewed prior Office of the Inspector General audits on internal use of Social Security numbers (SSN) and controls over PII.
• Using SSA's Intranet search engine, searched SSA's Intranet sites using the keyword "SSN" to determine whether PII was being displayed on SSA's Intranet sites. Our search revealed over 80,000 Intranet sites with a reference to the keyword "SSN." We examined the first 280 sites for PII.
• Notified SSA's Webmaster, the Office of Disability Adjudication and Review's (ODAR) Webmaster, and Regional web managers about the PII found on their Intranet sites. We shared the Intranet links containing the PII with the Web managers. We verified that the Intranet sites containing PII were either removed or appropriately modified.
• Interviewed ODAR headquarters and regional office staff, SSA's Webmaster, staff at the Offices of the Chief Information Officer and Communications, and a member of SSA's Web Steering Committee.

We performed our review of SSA's Intranet sites from December 2008 through March 2009 in accordance with generally accepted government auditing standards. Those standards require that we plan and perform the audit to obtain sufficient, appropriate evidence to provide a reasonable basis for our findings and conclusions based on our audit objectives. We believe that the evidence obtained provides a reasonable basis for our findings and conclusions based on our audit objectives.

Appendix C

Hearing Office Organization Chart and Position Descriptions
Below is an example of a hearing office organization chart for a medium-size hearing office with related position descriptions for contracted personnel who assist the Agency.

[Organization chart; only the position labels survive extraction. The reporting lines and the color legend (Management, Bargaining Unit Position, Non-bargaining Position) are not recoverable.]
• HOCALJ, with six ALJs
• Hearing Office Director
• Group Supervisor; Lead Case Technician; Senior Case Technicians; Case Technicians; Attorney Advisers; Paralegal Analysts
• Hearing Office Systems Administrator; Administrative Assistant; Receptionist; Case Intake Analyst; Contact Representative
• Contracted Personnel: Hearing Reporters, Interpreters, Medical Experts, Vocational Experts

HEARING OFFICE ROLES AND RESPONSIBILITIES OF CONTRACTED PERSONNEL

Hearing Reporters (HR)
The HR's duties are to
• be present at the designated hearing site on the date and time specified;
• set up and test the digital recording equipment;
• record the proper identification information;
• monitor the recording equipment to ensure it is functioning properly and a verbatim record of the hearing proceedings is made on the CD during the hearing;
• take notes of hearing testimony, ensuring administrative law judge (ALJ) directives pertaining to additional evidence and other needed documents are noted; and
• place the CD in an envelope and place it with the notes in a designated area in the hearing room after the hearing.

Interpreters
The Social Security Administration provides interpreter services, at no cost, to assist non-English speaking claimants who have difficulty understanding or communicating in English during any part of the hearing process. The interpreter must accurately interpret each word spoken during the hearing for the claimant and, as the claimant answers, listen and render the English version.

Medical Experts (ME)
An ALJ may need to obtain an ME's opinion, either in testimony at a hearing or in responses to written interrogatories, when the
• ALJ is determining whether a claimant's impairment(s) meets or equals a listed impairment(s);
• ALJ is determining usual dosage and effect of drugs and other forms of therapy;
• ALJ is assessing a claimant's failure to follow prescribed treatment;
• ALJ is determining the degree of severity of a claimant's mental impairment;
• claimant or claimant's representative has requested an ME at the hearing, and the ALJ agrees ME testimony is necessary;
• ALJ doubts the adequacy of the medical record in a case and believes an ME may be able to suggest additional relevant evidence;
• medical evidence is conflicting or confusing, and the ALJ believes an ME may be able to clarify the evidence;
• significance of clinical or laboratory findings in the record is not clear, and the ALJ believes an ME may be able to explain the findings and assist the ALJ in assessing their clinical significance;
• ALJ is determining the claimant's residual functional capacity; for example, the ALJ may ask the ME to explain or clarify the claimant's functional limitations and abilities as established by the medical evidence of record; or
• ALJ desires expert medical opinion regarding the onset of an impairment.

The ALJ must obtain an ME's opinion, either in testimony at a hearing or in responses to written interrogatories, when the Appeals Council or a court so orders. In addition, the ALJ must use an ME to evaluate and interpret background medical test data.

Vocational Experts (VE)
An ALJ may need to obtain a VE's opinion, either in testimony at a hearing or in written responses to interrogatories, when the ALJ is determining whether the
• claimant's impairment(s) prevents the performance of past relevant work or
• claimant's impairment(s) prevents the performance of any other work and he or she cannot decide the case.

The ALJ must obtain a VE's opinion, either in testimony at a hearing or in responses to written interrogatories, when directed by the Appeals Council or a court.

Appendix D

Personally Identifiable Information Executive Steering Committee
In its April 2008 charter, the personally identifiable information (PII) Executive Steering Committee (ESC) states its purpose as follows.

   At the Social Security Administration (SSA), the Commissioner of Social Security (COSS) is the final decision-maker regarding PII loss notification and remediation policy. The COSS is assisted in this task by the PII [ESC], which provides oversight and recommendations on Agency PII policy. The PII ESC also ensures implementation of the Breach Notification Policy and plan.

   Stakeholders are the Deputy Commissioners and equivalents of the Agency who are responsible for implementation of Government-required PII protection and security policies. The ESC serves as a forum that supports the COSS by ensuring that all components are aware of evolving PII requirements, SSA policies, and their roles and responsibilities with respect to PII policy implementation.

The core responsibilities of the ESC members include:

• Serving as the principal component contact to the ESC for coordination, implementation, and enforcement of breach-related policies;
• Serving as the principal component contact to the ESC for addressing and reporting PII-specific issues for their component;
• Recommending improvements and updates to Agency breach policies and procedures;
• Developing familiarity with Federal and SSA PII directives, policies, procedures, guidelines, and standards. Keeping up-to-date on policy changes and advising their component and Agency management on current and changing requirements;
• Representing their component's interests to the PII ESC. Ensuring that Federal PII legislation and policies are implemented in their component. Requesting component exceptions to SSA policies and procedures, if exclusion from the standard requirement is warranted;
• Advising Agency management on resources required for implementing breach requirements; and
• Developing and/or coordinating component PII protection and breach programs in conjunction with SSA policies and programs.

Appendix E

Web Steering Committee
The Web Steering Committee (WESCO) was established as the Social Security Administration's (SSA) Internet organization responsible for (1) facilitating coordination between responsible components on the development and management of the Agency's Internet and (2) maintaining the Internet. All components responsible for a presence on the Internet are represented in WESCO. In executing its responsibilities, WESCO coordinates closely with the Offices of Communications, Operations, and Systems in their respective areas of influence. WESCO's responsibilities are:

• Policies: Recommend, interpret, and oversee implementation of the Agency's Web policies.
• Standards: Review Agency standards for currency.
• Procedures: Establish procedures for the review and approval of SSA's Web products.
• Enforcement: Establish enforcement standards for SSA's Web products.
• New and redesigned sites: Review new or substantially revised Web products for adherence to technical, usability, accessibility, and editorial standards.
• Operations: Provide direction, guidance, and training for Web Managers.
• Brief SSA executives on the Agency's Web products and consult with them on overall usage of the Web to achieve their goals.
• Interagency: Along with the Chief Information Officer and other appropriate staff, represent and coordinate the Agency's involvement in interagency efforts and other outside efforts that impact the content of SSA's Website.
• Maintenance: Coordinate with responsible components the maintenance of their Websites.

Appendix F

Agency Comments

SOCIAL SECURITY
MEMORANDUM

Date: August 7, 2009    Refer To: S1J-3
To: Patrick P. O'Carroll, Jr., Inspector General
From: Margaret J. Tittel /s/, Acting Chief of Staff
Subject: Revised Comments on the OIG Draft Report, "Protecting Personally Identifiable Information on the Social Security Administration's Intranet Sites" (A-12-09-29118)--INFORMATION

Thank you for the opportunity to review and comment on the draft report. We appreciate OIG's efforts in conducting this review. Attached is our revised response to the report findings and recommendations. This response replaces the comments issued on June 24, 2009 and should be included as part of the final report.

Please let me know if we can be of further assistance. Please direct staff inquiries to Ms. Candace Skurnik, Director, Audit Management and Liaison Staff, at extension 54636.

Attachment: SSA Response

COMMENTS ON THE OFFICE OF THE INSPECTOR GENERAL DRAFT REPORT, "PROTECTING PERSONALLY IDENTIFIABLE INFORMATION ON THE SOCIAL SECURITY ADMINISTRATION'S INTRANET SITES" (A-12-09-29118)

We reviewed the draft report findings and recommendations. We are pleased with the report's acknowledgement that we removed Personally Identifiable Information (PII) from the websites identified in this review. Below please find responses to the specific recommendations.

Recommendation 1

Designate a component with the responsibility of (a) developing PII safeguard policies over the Internet and Intranet and (b) ensuring adherence with these new policies.

Comment

We agree with the intent of the recommendation. We have long-standing policies that govern the protection and disclosure of the information we maintain. These policies apply regardless of how the information is stored (i.e., paper, electronic, or online). Since 2006, the Office of the Chief Information Officer (OCIO) has been responsible for issuing comprehensive agency PII policy, which covers the Internet and Intranet. OCIO published a compilation of all PII policies and recently released a PII Frequently Asked Questions guide. OCIO will work with our components to ensure adherence to our PII policies, including the Internet and Intranet.

Recommendation 2

Designate a component with the responsibility of periodically reviewing Internet and Intranet sites to ensure employee and contractor PII is protected. Such reviews should become part of the agency's internal control structure.

Comment

We agree that periodic reviews of both the Internet and Intranet environments will help ensure no PII resides on those sites. We believe that our current process, whereby the component of jurisdiction is responsible for ensuring that PII is not present on the Internet and Intranet, is a more efficient and effective review.
However, given our commitment to protecting the sensitive\ninformation we maintain, OCIO will work with the Office of Systems and the Office of\nCommunications to investigate the availability and suitability of automated tools to improve\nthese reviews.\n\n\n\n\n                                               F-2\n\x0c                                                                     Appendix G\n\nOIG Contacts and Staff Acknowledgments\nOIG Contacts\n\n   Walter Bayer, Director, Chicago Audit Division\n\n   Nicholas Milanek, Audit Manager, Falls Church Office\n\nAcknowledgments\n\nIn addition to those named above:\n\n   Yaquelin Lara, Auditor\n\nFor additional copies of this report, please visit our web site at\nwww.socialsecurity.gov/oig or contact the Office of the Inspector General\xe2\x80\x99s Public\nAffairs Staff Assistant at (410) 965-4518. Refer to Common Identification Number\nA-12-09-29118.\n\x0c                            DISTRIBUTION SCHEDULE\n\nCommissioner of Social Security\nOffice of Management and Budget, Income Maintenance Branch\nChairman and Ranking Member, Committee on Ways and Means\nChief of Staff, Committee on Ways and Means\nChairman and Ranking Minority Member, Subcommittee on Social Security\nMajority and Minority Staff Director, Subcommittee on Social Security\nChairman and Ranking Minority Member, Committee on the Budget, House of\nRepresentatives\nChairman and Ranking Minority Member, Committee on Oversight and Government\nReform\nChairman and Ranking Minority Member, Committee on Appropriations, House of\nRepresentatives\nChairman and Ranking Minority, Subcommittee on Labor, Health and Human Services,\nEducation and Related Agencies, Committee on Appropriations,\n House of Representatives\nChairman and Ranking Minority Member, Committee on Appropriations, U.S. Senate\nChairman and Ranking Minority Member, Subcommittee on Labor, Health and Human\nServices, Education and Related Agencies, Committee on Appropriations, U.S. 
Senate\nChairman and Ranking Minority Member, Committee on Finance\nChairman and Ranking Minority Member, Subcommittee on Social Security Pensions\nand Family Policy\nChairman and Ranking Minority Member, Senate Special Committee on Aging\nSocial Security Advisory Board\n\x0c                         Overview of the Office of the Inspector General\nThe Office of the Inspector General (OIG) is comprised of an Office of Audit (OA), Office of Investigations\n(OI), Office of the Counsel to the Inspector General (OCIG), Office of External Relations (OER), and Office of\nTechnology and Resource Management (OTRM). To ensure compliance with policies and procedures, internal\ncontrols, and professional standards, the OIG also has a comprehensive Professional Responsibility and Quality\nAssurance program.\n                                                  Office of Audit\nOA conducts financial and performance audits of the Social Security Administration\xe2\x80\x99s (SSA) programs and\noperations and makes recommendations to ensure program objectives are achieved effectively and efficiently.\nFinancial audits assess whether SSA\xe2\x80\x99s financial statements fairly present SSA\xe2\x80\x99s financial position, results of\noperations, and cash flow. Performance audits review the economy, efficiency, and effectiveness of SSA\xe2\x80\x99s\nprograms and operations. OA also conducts short-term management reviews and program evaluations on issues\nof concern to SSA, Congress, and the general public.\n                                              Office of Investigations\nOI conducts investigations related to fraud, waste, abuse, and mismanagement in SSA programs and operations.\nThis includes wrongdoing by applicants, beneficiaries, contractors, third parties, or SSA employees performing\ntheir official duties. This office serves as liaison to the Department of Justice on all matters relating to the\ninvestigation of SSA programs and personnel. 
OI also conducts joint investigations with other Federal, State,\nand local law enforcement agencies.\n                            Office of the Counsel to the Inspector General\nOCIG provides independent legal advice and counsel to the IG on various matters, including statutes,\nregulations, legislation, and policy directives. OCIG also advises the IG on investigative procedures and\ntechniques, as well as on legal implications and conclusions to be drawn from audit and investigative material.\nAlso, OCIG administers the Civil Monetary Penalty program.\n                                        Office of External Relations\nOER manages OIG\xe2\x80\x99s external and public affairs programs, and serves as the principal advisor on news releases\nand in providing information to the various news reporting services. OER develops OIG\xe2\x80\x99s media and public\ninformation policies, directs OIG\xe2\x80\x99s external and public affairs programs, and serves as the primary contact for\nthose seeking information about OIG. OER prepares OIG publications, speeches, and presentations to internal\nand external organizations, and responds to Congressional correspondence.\n                           Office of Technology and Resource Management\nOTRM supports OIG by providing information management and systems security. OTRM also coordinates\nOIG\xe2\x80\x99s budget, procurement, telecommunications, facilities, and human resources. In addition, OTRM is the\nfocal point for OIG\xe2\x80\x99s strategic planning function, and the development and monitoring of performance\nmeasures. In addition, OTRM receives and assigns for action allegations of criminal and administrative\nviolations of Social Security laws, identifies fugitives receiving benefit payments from SSA, and provides\ntechnological assistance to investigations.\n\x0c'